What is the Report?
The DPC’s regulatory report (the Report) encapsulates the DPC’s two-year experience and assessment of the EU General Data Protection Regulation (the GDPR). It focuses on the broad scope of regulatory tasks carried out by the DPC during the period from 25 May 2018 to 25 May 2020 and showcases the large volume of work the DPC undertakes as a key data protection regulator (in particular of the technology and social media sectors) within the European Union.
Some of the key regulatory tasks handled by the DPC include its support for individuals and industry, its engagement with other data protection authorities and stakeholders and its regulatory and enforcement outputs.
The key points arising from the Report are set out below.
1. Mass upsurge in communications and DPC dealing with queries 53% faster
The Report asserts that data protection is now deeply embedded into the “public consciousness”. Evidence of this position in the Report is clear with over 86,000 data subject communications being filed with the DPC between 25 May 2018 and 25 May 2020. This significant increase in data subject communications includes: 40,000 e-mails, 36,000 phone calls and 8,000 postal contacts to the DPC. The DPC reports that 15,025 of these communications resulted in cases or queries being considered by the DPC, 80% of which are now concluded. Notably only 7.96% of these cases/queries were amicably resolved and no more than 22.62% concerned access requests. The Report also outlined that the DPC records and categorises all cases/queries within a centralised database, regardless of complexity.
The Report highlights to businesses that in the DPC’s opinion a high volume of these cases/queries could have been resolved without resort to the DPC, by data subjects seeking to resolve their issues directly with controllers/data protection officers (DPOs). As such, the Report strongly encourages proactive resolution of complaints between businesses and data subjects.
The Report also makes clear that the DPC has greatly improved its case/query conclusion time and that it will continue to focus on this in the future.
2. Ignorance of the law is not an excuse
In the Report, the DPC reminds businesses that the right of access under the GDPR, and complaints relating to the handling of data subject access requests (DSARs), continue to be the main reason for communications to the DPC.
The DPC mentions, in particular, the lack of knowledge on the part of controllers about DSAR exemptions. The DPC reminds controllers that it has published guidance on DSAR exemptions (available here) and that controllers must ensure that they make the necessary resources available to ensure DSARs are effectively dealt with and exemptions correctly applied.
3. Amicable resolution is the DPC’s preferred approach where possible
The DPC’s preferred approach to data subject complaints is amicable resolution between individuals and controllers/DPOs, where feasible and appropriate.
The amicable resolution mechanism operates pursuant to Section 109 of the Irish Data Protection Act 2018. It entails the DPC mediating between both the data subject and controller / DPO to try to amicably resolve the issue at hand. Approximately 8% of active cases before the DPC are dealt with subject to this mechanism.
4. Lack of due care and attention the biggest cause of personal data breaches
Notably 12,437 personal data breach notifications were filed with the DPC by controllers between 25 May 2018 and 25 May 2020, 94.88% of which are now concluded (11,800 cases) and 5.12% remain active. The DPC notes that Q2 of 2020 saw a decline in notifications – while the reasons for this position are unknown, it is likely that the emergence of the COVID-19 crisis in Ireland is a contributory factor.
Human error in the manual, and to a lesser extent digital, processing of personal data remains the headline cause of personal data breaches. 80% of breaches reported to the DPC relate to unauthorised disclosure. Only 5.6% of breaches related to phishing, hacking or lost devices.
5. More enforcement and fines coming
As well as its recent fine imposed on Tusla, the DPC has opened 24 cross-border inquiries and 53 national inquiries across a variety of sectors in the two-year period since the introduction of the GDPR. Some notable enforcement actions include:
- Sending its first major-scale draft decision to the European Data Protection Board on its investigation into Twitter’s handling of a personal data breach; and
- Participating in nine litigation cases including the DPC v. Facebook Ireland Limited and Maximillian Schrems which is currently pending judgment in the Court of Justice of the European Union (read more here).
Without doubt, these enforcement actions will lead to more fines, supervisory actions and “naming and shaming” by the DPC in the coming months. Indeed, 5 October 2020 marks the deadline for websites and apps to comply with the DPC’s recently published cookies guidance (read more here).
Next two years of GDPR in Ireland
The DPC notes that the sheer volume of cases it manages shows no signs of abating. It expects to see continued growth in the number of cases it has to deal with in the coming years. Notwithstanding increases in funding since 2014, the DPC highlights the “considerable disparity” which continues to exist between its workload and resources/budget.
The William Fry Technology & Data Protection team will continue to monitor all relevant developments. Our team are on hand to advise on any queries you may have arising from the Report or other issues raised in this article. Please contact any member of the Technology team or your usual William Fry contact to discuss.
Contributed by: Kate Corcoran and Rachel Hayes